[DRAFT] Confidential Containers - Skip pullimage for runtimes that are handling it #8008
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind feature
What this PR does / why we need it:
With #7471 we introduced a way to support Confidential Container's feature of pulling the image in the guest VM.
When this happens, cri-o is still pulling the image on the host, because kubernetes keeps sending the "PullImageRequest", and cri-o has no reason to not process it.
This has two drawbacks:
This failure will block the container creation, as kubernetes will not proceed with CreateContainer if PullImage failed.
This PR is meant to make crio skip the pull image phase when the runtime is configured with the "runtime_pull_image" flag introduced in #7471
Which issue(s) this PR fixes:
None
Special notes for your reviewer:
I have modified the code in crio to skip the pull image processing when the runtime is configured with the "runtime_pull_image" flag.
Crio then just reports a success status to kubernetes, which is happy with that, even when subsequent ImageList or ImageStatus report the image is missing.
This is the first commit of this PR (5c8d55f).
Now this is not enough: further on, crio still need to access the metadata of the image, and this is failing because it was not pulled.
This is happening in various places of the createSandboxContainer() function.
I've tried to fix that in various ways, but each failure that I fix leads to another one down the road.
An idea that I had was to let crio use the pause image as a fake rootfs to work on, letting the runtime deal with the actual image. This is what I have in the second commit of this PR. (df446ee)
But this is still causing issues as then the container tries to run "/pause", as instructed by the pause image config that crio read and sends to the runtime.
At this point, I realize that I miss a higher level standpoint to understand how image pull/prepare is done, what crio actually need, and what we can skip.
My understanding of container encryption is that only the layers are encrypted, not the config or manifest.
Is there a way for crio to get the config/manifest it needs from the repository, without getting the layers?
Would that be enough to go through this function and proceed with the container creation?
Any help is welcome.
Does this PR introduce a user-facing change?